Information Commissioner’s Office

DATA PROTECTION ACT 1998

SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER

MONETARY PENALTY NOTICE

To: Grocery Delivery E-Services UK Limited T/A HelloFresh

Of: The Fresh Farm, 60 Worship Street, London, EC2A 2EZ


The Information Commissioner (“the Commissioner”) has decided to 
issue Grocery Delivery E-Services UK Limited T/A HelloFresh 
(“HelloFresh”) with a monetary penalty under section 55A of the Data 
Protection Act 1998 (“DPA”). The penalty is in relation to a serious 
contravention of Regulation 22 of the Privacy and Electronic 
Communications (EC Directive) Regulations 2003 (“PECR”). 


This notice explains the Commissioner’s decision. 


Legal framework 


HelloFresh, whose registered office address is given above (Companies
House Registration Number: 07893709), is the organisation stated in
this notice to have transmitted unsolicited communications by means
of electronic mail to individual subscribers for the purposes of direct
marketing contrary to regulation 22 of PECR.


Regulation 22 of PECR states:

“(1) This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual
subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person
shall neither transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender.

(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where—

(a) that person has obtained the contact details of the recipient
of that electronic mail in the course of the sale or
negotiations for the sale of a product or service to that
recipient;

(b) the direct marketing is in respect of that person’s similar
products and services only; and

(c) the recipient has been given a simple means of refusing
(free of charge except for the costs of the transmission of
the refusal) the use of his contact details for the purposes
of such direct marketing, at the time that the details were
initially collected, and, where he did not initially refuse the
use of the details, at the time of each subsequent
communication.

(4) A subscriber shall not permit his line to be used in contravention of
paragraph (2).”

Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines direct
marketing as “the communication (by whatever means) of advertising
or marketing material which is directed to particular individuals”. This
definition also applies for the purposes of PECR (see regulation 2(2)
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).

From 1 January 2021, consent in PECR has been defined by reference
to the concept of consent in the UK GDPR as defined in section 3(10) of
the DPA 2018[1]; see regulation 2(1) of PECR, as amended by Part 3 of
Schedule 3, paragraph 44 of The Data Protection, Privacy and
Electronic Communications (Amendments etc) (EU Exit) Regulations
2019/419. Article 4(11) of the UK GDPR sets out the following
definition: “‘consent’ of the data subject means any freely given,
specific, informed and unambiguous indication of the data subject's
wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating
to him or her”.

Recital 32 of the [UK] GDPR materially states that “When the processing
has multiple purposes, consent should be given for all of them”. Recital
42 materially provides that “For consent to be informed, the data subject
should be aware at least of the identity of the controller”. Recital 43
materially states that “Consent is presumed not to be freely given if it
does not allow separate consent to be given to different personal data
processing operations despite it being appropriate in the individual case”.

“Individual” is defined in regulation 2(1) of PECR as “a living individual
and includes an unincorporated body of such individuals”.

[1] The UK GDPR is therein defined as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 (“GDPR”) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue
of section 3 of the European Union (Withdrawal) Act 2018.

A “subscriber” is defined in regulation 2(1) of PECR as “a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services”.

“Electronic mail” is defined in regulation 2(1) of PECR as “any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient’s terminal equipment until it is collected by the recipient and
includes messages sent using a short message service”.


Section 55A of the DPA (as applied to PECR cases by Schedule 1 to
PECR, as variously amended) states:

“(1) The Commissioner may serve a person with a monetary penalty if
the Commissioner is satisfied that -

(a) there has been a serious contravention of the requirements
of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 by the person,

(b) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the person -

(a) knew or ought to have known that there was a risk that the
contravention would occur, but

(b) failed to take reasonable steps to prevent the
contravention.”


The Commissioner has issued statutory guidance under section 55C (1)
of the DPA about the issuing of monetary penalties that has been
published on the ICO’s website. The Data Protection (Monetary
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
that the amount of any penalty determined by the Commissioner must
not exceed £500,000.

PECR were enacted to protect the individual's fundamental right to
privacy in the electronic communications sector. PECR were
subsequently amended and strengthened. The Commissioner will
interpret PECR in a way which is consistent with the Regulations’
overall aim of ensuring high levels of protection for individuals’ privacy
rights.


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the DPA18: see paragraph 58(1) of 
Schedule 20 to the DPA18. 


Background to the case 


HelloFresh is an online meal order business operating within the food
and beverage sector. HelloFresh delivers ingredients and recipes in
food boxes to its customers, which the customer can then use to
prepare meals. HelloFresh provides its meal delivery services on a
subscription plan basis.


The Commissioner's investigation into HelloFresh was launched 
following a review of data from the UK’s Spam Reporting Service, 
7726. 


Mobile users can report the receipt of unsolicited marketing text
messages to the Mobile UK’s Spam Reporting Service by forwarding the
message to 7726 (spelling out “SPAM”). Mobile UK is an organisation
that represents the interests of mobile operators in the UK. The
Commissioner is provided with access to the data on complaints made
to the 7726 service and this data is used to ascertain organisations in
breach of PECR.

Between 27 September 2021 and 23 February 2022, 15,221
complaints were logged with the 7726 service in relation to messages
from HelloFresh.

Furthermore, between 28 September 2021 and 6 November 2021, the
ICO online reporting tool received 14 complaints about unsolicited SMS
messages from HelloFresh.

Between 21 October 2021 and 24 May 2022, the ICO received three
complaints about direct marketing emails sent by HelloFresh.


Complainants' comments about the messages they received from
HelloFresh are included below.

• "Annoying - how are these mobile numbers contacting me?? dont
[sic] know how to stop them I [sic] can only block them. I used
HelloFresh once, ages ago, but this is from a UK mobile number... ?"

• "I had previously replied STOP to this number over a year ago. I
received a confirmation that I had opted out of promotional SMS,
and have had no relationship with the company since then."

• "It arrived at unsociable hours after previous attempts to get the
company to stop contacting me disturbing sleep"

• “I had previously bought from this company and ensured that I did
not consent to marketing material. I was not happy with their
service so cancelled my subscription. Recently (last 1-2 months) I
have started regularly receiving unsolicited advertising emails from
the company, and now they are sending unsolicited text messages.
It seems to be a growing trend - companies that I have previously
bought from and had no problems with in the past suddenly start
sending large numbers of advertising emails and text messages to
past customers.”

• “Ive asked this company to stop marketing in the past but they still
send stuff.”

• “I have explicitly withdrawn consent to marketing previously, so
am annoyed that the company has contacted me.”


On 10 March 2022, the Commissioner sent an initial investigation letter
and a spreadsheet of complaints to HelloFresh. The letter requested
information about HelloFresh’s marketing activities between the period
of 23 August 2021 and 23 February 2022. It also requested information
about how HelloFresh obtained consent from individuals to send them
direct marketing communications.

HelloFresh replied to the initial investigation letter on 30 March 2022.
In its response, HelloFresh stated that it had consent to contact the
individuals who had complained to the 7726 service. It also explained
that it sends SMS based direct marketing to two groups of data
subjects. The first group is “active UK customers”, which it defined as
“customers who have an active, or paused subscription.” The second
group is “reactivation customers”, these are former customers that
have cancelled their subscription within the last 24 months but have
consented to receive SMS based marketing messages from HelloFresh.

HelloFresh explained that before sending marketing messages, it
checked the target telephone number against the relevant customer’s
communication settings for their account. Once screening was
completed, a third-party provider sent the SMS message on behalf of
HelloFresh. HelloFresh stated that it removed individuals from its
marketing list within 30 days of them making a removal request.

HelloFresh confirmed that between 23 August 2021 and 23 February
2022, it sent 1,939,487 SMS messages to active and reactivation
customers. Of these, 1,113,734 messages were delivered.


As part of its 30 March 2022 response to the Commissioner’s
questions, HelloFresh provided various information and documents.
This included a tick box with the following consent statement next to it:

“Yes, I'd like to receive sample gifts (including alcohol) and other
offers, competitions and news via email. By ticking this box I
confirm I am over 18 years old”.

Another screenshot provided by HelloFresh showed that users could
update their communication preferences in the app. However, the
preference settings did not allow users to set their marketing
preferences by reference to the communication channel used for direct
marketing (e.g. phone, text or email).

There was no information in the screenshots that informed a customer
about the length of time that they could receive marketing
communications from HelloFresh after cancelling their subscription.

As part of its correspondence with the Commissioner, HelloFresh
provided various other supporting documents including a calling script
for marketing calls made by HelloFresh, a training document in respect
of telephone marketing, a data protection policy, an information
security policy and HelloFresh's ICO registration certificate.


HelloFresh also provided its analysis of the complaints to the 7726
service. HelloFresh believed that of the 15,221 complaints to the 7726
service, only 8,729 were valid complaints about marketing. The
Commissioner agrees with this assessment.

In further correspondence with the Commissioner, HelloFresh
confirmed that between 23 August 2021 and 23 February 2022, it sent
79,940,241 marketing emails of which 79,779,279 were received by
recipients.

The Commissioner has made the above findings of fact on the
balance of probabilities.

The Commissioner has considered whether those facts constitute
a contravention of regulation 22 of PECR by HelloFresh and, if so,
whether the conditions of section 55A DPA are satisfied.

The contravention


The Commissioner finds that HelloFresh contravened regulation 22 of 
PECR. 


The Commissioner finds that the contravention was as follows: 


The Commissioner finds that between 23 August 2021 and 23 February
2022 there were 80,893,013 direct marketing messages, comprised of
79,779,279 emails and 1,113,734 SMS messages, received by
subscribers. The Commissioner finds that HelloFresh transmitted those
direct marketing messages, contrary to regulation 22 of PECR.

HelloFresh, as the sender of the direct marketing, is required to ensure
that it is acting in compliance with the requirements of regulation 22 of
PECR, and to ensure that valid consent to send those messages had
been acquired.

HelloFresh is required to demonstrate that the consent is freely given,
specific, informed, and contains an unambiguous indication from the
individual via an affirmative action.

Of particular relevance in this case, is the fact that for consent to be
valid it is required to be “specific” as to the type of marketing
communication to be received, and the organisation, or specific type of
organisation, that will be sending it.

In addition, consent will not be “informed” if individuals do not
understand what they are consenting to. Organisations should
therefore always ensure that the language used is clear, easy to
understand, and not hidden away in a privacy policy or small print.

The consent statement relied on by HelloFresh for its email and SMS
direct marketing was as described in paragraph 26. It is the
Commissioner's finding that this statement does not satisfy the
requirement for consent to be "specific" and "informed" because:

• the consent statement did not mention that SMS would be used as
a channel for direct marketing purposes;

• the consent statement was not clear (and was bundled with other
aspects) as it combined an age confirmation statement and consent
to receive free samples with a consent for direct marketing via
email; and

• customers were not given sufficient information to make them
aware that they could receive direct marketing messages up to 24
months after they had cancelled their subscription with HelloFresh.

It is the Commissioner's view that it would not be in the reasonable
expectations of former customers that they would receive direct
marketing up to 24 months after ending their subscription contract with
HelloFresh.

The Commissioner is therefore satisfied from the evidence he has seen
that HelloFresh did not have the necessary valid consent for the
80,893,013 direct marketing messages received by subscribers.


The Commissioner has gone on to consider whether the conditions 
under section 55A DPA 1998 are met. 


Seriousness of the contravention 


The Commissioner is satisfied that the contravention identified
above was serious. This is because between 23 August 2021 and 23
February 2022, a confirmed total of 80,893,013 direct marketing
messages were sent by HelloFresh. These messages contained direct
marketing material for which subscribers had not provided valid
consent.


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA is met. 


Deliberate or negligent contraventions

The Commissioner has considered whether the contravention identified
above was deliberate. In the Commissioner’s view, in order to make a
finding that a deliberate contravention has occurred, this would require
that HelloFresh's actions, which constituted that contravention, be
deliberate actions (even if HelloFresh did not actually intend thereby to
contravene PECR).

The Commissioner does not consider that HelloFresh deliberately set
out to contravene PECR in this instance.


The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises two
elements:


Firstly, he has considered whether HelloFresh knew or ought 
reasonably to have known that there was a risk that these 
contraventions would occur. He is satisfied that this condition is met, 
as HelloFresh failed to exercise proper due care to avoid conducting 
unsolicited marketing, including evidence presented to the 
Commissioner indicating that HelloFresh had a misunderstanding of the 
relationship between PECR and the UK GDPR. 


The Commissioner has published detailed guidance for those carrying 
out direct marketing explaining their legal obligations under PECR. This 
guidance gives clear advice regarding the requirements of consent for 
direct marketing and explains the circumstances under which 
organisations are able to carry out marketing over the phone, by text, 
by email, by post, or by fax. In particular it states that organisations 
can generally only send, or instigate, marketing messages to 
individuals if that person has specifically consented to receiving them. 


The Commissioner has also published detailed guidance on consent
under the GDPR. In case organisations remain unclear on their
obligations, the ICO operates a telephone helpline. ICO
communications about previous enforcement action where businesses
have not complied with PECR are also readily available.

It is therefore reasonable to suppose that HelloFresh should have been
aware of its responsibilities in this area.


Secondly, the Commissioner has gone on to consider whether
HelloFresh failed to take reasonable steps to prevent the
contraventions. Again, he is satisfied that this condition is met.

Reasonable steps in these circumstances may have included:

• ensuring that the consent statements relied on for direct marketing
met the requirements of the UK GDPR and had been reviewed
against guidance from the Commissioner;

• providing mechanisms that allow individuals to easily select the
channels that they consent to receiving direct marketing through;

• providing privacy notices to individuals that clearly explained how
long they would continue to receive direct marketing for after
cancelling their subscription (in addition to providing clear
transparency information about the use of personal data for direct
marketing and how individuals could exercise their rights in relation
to direct marketing);

• documenting internal policies, procedures and training that clearly
demonstrated an organisational understanding of PECR
requirements and the interplay with the UK GDPR.

In the circumstances, the Commissioner is satisfied that HelloFresh
failed to take reasonable steps to prevent the contraventions.


The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The Commissioner's decision to issue a monetary penalty 


The Commissioner notes there are no aggravating features in this case. 


The Commissioner also acknowledges that HelloFresh has fully 
cooperated with the investigation, and has taken steps to improve its 
marketing practices and customer journey following this investigation. 


However, no other mitigating features have been identified in this case. 


For the reasons explained above, the Commissioner is satisfied that the
conditions from section 55A (1) DPA have been met in this case. He is
also satisfied that the procedural rights under section 55B have been
complied with.

The latter has included the issuing of a Notice of Intent, in which the
Commissioner set out his preliminary thinking. In reaching his final
view, the Commissioner has taken into account the representations
made by HelloFresh on this matter.

The Commissioner is accordingly entitled to issue a monetary penalty
in this case.

The Commissioner has considered whether, in the circumstances, he
should exercise his discretion so as to issue a monetary penalty.

The Commissioner has considered the likely impact of a monetary
penalty on HelloFresh. He has decided on the information that is
available to him, that a penalty remains the appropriate course of
action in the circumstances of this case.


The Commissioner’s underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The sending of
unsolicited direct marketing messages is a matter of significant public
concern. A monetary penalty in this case should act as a general
encouragement towards compliance with the law, or at least as a
deterrent against non-compliance, on the part of all persons running
businesses currently engaging in these practices. The issuing of a
monetary penalty will reinforce the need for businesses to ensure that
they are only messaging those who specifically consent to receive
direct marketing.


In making his decision, the Commissioner has also had regard to the
factors set out in s108(2)(b) of the Deregulation Act 2015; including:
the nature and level of risks associated with non-compliance, including
the risks to economic growth; the steps taken by the business to
achieve compliance and reasons for its failure; the willingness and
ability of the business to address non-compliance; the likely impact of
the proposed intervention on the business, and the likely impact of the
proposed intervention on the wider business community, both in terms
of deterring non-compliance and economic benefits to legitimate
businesses.

For these reasons, the Commissioner has decided to issue a monetary
penalty in this case.

The amount of the penalty

Taking into account all of the above, the Commissioner has decided
that a penalty in the sum of £140,000 (one hundred and forty
thousand pounds) is reasonable and proportionate given the
particular facts of the case and the underlying objective in imposing the
penalty.

Conclusion


The monetary penalty must be paid to the Commissioner’s office by 
BACS transfer or cheque by 13 February 2024 at the latest. The 
monetary penalty is not kept by the Commissioner but will be paid into 
the Consolidated Fund which is the Government’s general bank account 
at the Bank of England. 


If the Commissioner receives full payment of the monetary penalty by
12 February 2024 the Commissioner will reduce the monetary
penalty by 20% to £112,000 (one hundred and twelve thousand
pounds). However, you should be aware that the early payment
discount is not available if you decide to exercise your right of appeal.

There is a right of appeal to the First-tier Tribunal (Information Rights)
against:

(a) the imposition of the monetary penalty
and/or;

(b) the amount of the penalty specified in the monetary penalty
notice.


Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.

Information about appeals is set out in Annex 1.

The Commissioner will not take action to enforce a monetary penalty
unless:

• the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the monetary
penalty has not been paid;

• all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn; and

• the period for appealing against the monetary penalty and any
variation of it has expired.


In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner as
an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.


Dated the 11th day of January 2024

Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

SECTION 55 A-E OF THE DATA PROTECTION ACT 1998

RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER

1. Section 55B(5) of the Data Protection Act 1998 gives any person
upon whom a monetary penalty notice has been served a right of
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.
2. If you decide to appeal and if the Tribunal considers: -

a) that the notice against which the appeal is brought is not in
accordance with the law; or

b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that he ought to have exercised
his discretion differently,

the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.


3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ

Telephone: 0203 936 8963
Email: grc@justice.gov.uk

a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.

b) If your notice of appeal is late the Tribunal will not admit it
unless the Tribunal has extended the time for complying with this
rule.


4. The notice of appeal should state:-

a) your name and address/name and address of your
representative (if any);

b) an address where documents may be sent or delivered to
you;

c) the name and address of the Information Commissioner;

d) details of the decision to which the proceedings relate;

e) the result that you are seeking;

f) the grounds on which you rely;

g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;

h) if you have exceeded the time limit mentioned above the
notice of appeal must include a request for an extension of time
and the reason why the notice of appeal was not provided in
time.


5. Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6. The statutory provisions concerning appeals to the First-tier 
Tribunal (Information Rights) are contained in section 55B(5) of, and 
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure 
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 
(Statutory Instrument 2009 No. 1976 (L.20)). 